import lib.main
from lib.helpers import get_logger
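def lambda_handler(event, context):
    """Entry point for the MetaHub Lambda.

    Assembles a MetaHub command-line option list from the incoming event and
    passes it to ``lib.main.main``. Two invocation paths are supported:

    * a manual invocation, where ``custom_options`` below (e.g. a severity
      filter) selects the findings to process, and
    * a Security Hub "Custom Action" event (``source == "aws.securityhub"`` and
      ``detail-type == "Security Hub Findings - Custom Action"``), where the
      findings are read from ``event["detail"]["findings"]`` and a
      ``ResourceId=... RecordState=ACTIVE`` filter is added per finding.

    Args:
        event: The Lambda event payload (EventBridge / Security Hub shape).
        context: The Lambda context object (unused).

    Returns:
        Whatever ``lib.main.main`` returns for the assembled options.
    """
    logger = get_logger("INFO")
    # Add your custom options here (e.g. Only Critical: ["--sh-filters", "SeverityLabel=CRITICAL"])
    # Only used if triggering lambda manually, not from Security Hub Custom Actions
    custom_options = []
    # Actions the lambda will execute, if you don't need actions, keep this list empty
    # Example, for enriching findings:
    # actions = [
    #     "--enrich-findings",
    #     "--no-actions-confirmation",
    # ]
    actions = []
    # These are the minimum options required to run the Lambda, don't change this
    lambda_options = [
        "--output-modes",
        "lambda",
        "--no-banners",
    ]
    # Lambda execution
    event_source = event.get("source")
    event_detail_type = event.get("detail-type")
    logger.info("Event Source: %s (%s)", event_source, event_detail_type)
    # Code to handle Security Hub Custom Actions, execution by finding
    if (
        event_source == "aws.securityhub"
        and event_detail_type == "Security Hub Findings - Custom Action"
    ):
        # A malformed event (missing "detail", "findings" or "Resources") must
        # not crash the handler with AttributeError/IndexError: treat the
        # missing section as empty and log what was skipped instead.
        event_detail = event.get("detail") or {}
        action_name = event_detail.get("actionName")
        logger.info("Security Hub Custom Action: %s", action_name)
        # Filters derived from the event replace any manual custom_options.
        custom_options = []
        for finding in event_detail.get("findings") or []:
            finding_id = finding.get("Id")
            resources = finding.get("Resources") or []
            # The first resource's Id is what the filter is built from; a
            # finding without one cannot be searched, so skip it rather than
            # emit a "ResourceId=None" filter.
            resource_id = resources[0].get("Id") if resources else None
            if not resource_id:
                logger.warning(
                    "Security Hub Finding %s has no Resource Id, skipping", finding_id
                )
                continue
            logger.info("Security Hub Finding: %s", finding_id)
            # Search by ResourceId. The value comes straight from the event and
            # is passed as a list element (no shell involved); presumably parsed
            # as argv by lib.main.main -- verify there.
            lambda_options.extend(
                ["--sh-filters", f"ResourceId={resource_id}", "RecordState=ACTIVE"]
            )
            # Search by FindingId
            # lambda_options.extend(["--sh-filters", f"Id={finding_id}"])
    options = lambda_options + actions + custom_options
    logger.info("Executing with options: %s", options)
    execution_result = lib.main.main(options)
    return execution_result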